* Fri Jan 28 2005 Dan Walsh <dwalsh@redhat.com> 1.21.7-2

- Fix fixfiles patch
- Upgrade to latest from NSA
	* Prevent overflow of spec array in setfiles.
- Add diff comparison between file_contexts to fixfiles
- Allow restorecon to give a warning on file not found instead of exiting
Daniel J Walsh 2005-01-28 20:43:44 +00:00
parent a74df22263
commit aba4d96b05
2 changed files with 157 additions and 4 deletions


@ -1,6 +1,6 @@
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/restorecon/restorecon.c policycoreutils-1.21.5/restorecon/restorecon.c diff --exclude-from=exclude -N -u -r nsapolicycoreutils/restorecon/restorecon.c policycoreutils-1.21.7/restorecon/restorecon.c
--- nsapolicycoreutils/restorecon/restorecon.c 2005-01-25 10:32:01.000000000 -0500 --- nsapolicycoreutils/restorecon/restorecon.c 2005-01-25 10:32:01.000000000 -0500
+++ policycoreutils-1.21.5/restorecon/restorecon.c 2005-01-28 10:40:23.000000000 -0500 +++ policycoreutils-1.21.7/restorecon/restorecon.c 2005-01-28 11:38:00.000000000 -0500
@@ -188,7 +188,7 @@ @@ -188,7 +188,7 @@
fprintf(stderr, fprintf(stderr,
"%s: error while labeling files under %s\n", "%s: error while labeling files under %s\n",
@ -9,3 +9,155 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/restorecon/restorecon.c
+ errors++; + errors++;
} }
} }
else
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/fixfiles policycoreutils-1.21.7/scripts/fixfiles
--- nsapolicycoreutils/scripts/fixfiles 2005-01-26 11:30:57.000000000 -0500
+++ policycoreutils-1.21.7/scripts/fixfiles 2005-01-28 15:21:23.000000000 -0500
@@ -37,10 +37,12 @@
SELINUXTYPE="targeted"
if [ -e /etc/selinux/config ]; then
. /etc/selinux/config
+ FILE_CONTEXT=/etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts
FC=`mktemp /etc/selinux/${SELINUXTYPE}/contexts/files/file_context.XXXXXX`
- cat /etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts /etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts.local > $FC 2> /dev/null
+ cat ${FILE_CONTEXT} ${FILE_CONTEXT}.local > $FC 2> /dev/null
else
- FC=/etc/security/selinux/file_contexts
+ FILE_CONTEXT=/etc/security/selinux/file_contexts
+ FC=${FILE_CONTEXT}
fi
cleanup() {
@@ -60,7 +62,23 @@
echo $1 >> $LOGFILE
fi
}
-
+#
+# Compare PREVious File Context to currently installed File Context and
+# run restorecon on all files affected by the differences.
+#
+diff_filecontext() {
+if [ -f ${PREFC} -a -x /usr/bin/diff ]; then
+ TEMPFILE=`mktemp ${FILE_CONTEXT}.XXXXXXXXXX`
+ test -z "$TEMPFILE" && exit
+ /usr/bin/diff $PREFC $FILE_CONTEXT | egrep '^[<>]'|cut -c3-| grep ^/ | \
+ sed -e 's,\\.*,*,g' -e 's,(.*,*,g' -e 's,\[.*,*,g' -e 's,\..*,*,g' \
+ -e 's,[[:blank:]].*,,g' -e 's,\?.*,*,g' | sort -u | \
+ while read pattern ; do if ! echo "$pattern" | grep -q -f ${TEMPFILE} 2>/dev/null ; then echo "$pattern"; case "$pattern" in *"*") echo "$pattern" |sed 's,\*$,,g'>> ${TEMPFILE};; esac; fi; done | \
+ while read pattern ; do find $pattern -maxdepth 0 -print; done 2> /dev/null | \
+ ${RESTORECON} $2 -v -f -R -
+ rm -f ${TEMPFILE}
+fi
+}
#
# Log all Read Only file systems
#
@@ -80,6 +98,10 @@
# if called with -n will only check file context
#
restore () {
+if [ ! -z "$PREFC" ]; then
+ diff_filecontext $1
+ exit $?
+fi
if [ ! -z "$RPMFILES" ]; then
for i in `echo $RPMFILES | sed 's/,/ /g'`; do
rpmlist $i | ${RESTORECON} ${OUTFILES} -R $1 -v -f - 2>&1 >> $LOGFILE
@@ -128,7 +150,7 @@
usage() {
echo $"Usage: $0 [-l logfile ] [-o outputfile ] { check | restore|[-F] relabel } [[dir] ... ] "
echo or
- echo $"Usage: $0 -R rpmpackage[,rpmpackage...] [-l logfile ] [-o outputfile ] { check | restore }"
+ echo $"Usage: $0 -R rpmpackage[,rpmpackage...] -C PREVIOUS_FILECONTEXT [-l logfile ] [-o outputfile ] { check | restore }"
}
if [ $# = 0 ]; then
@@ -137,7 +159,7 @@
fi
# See how we were called.
-while getopts "Fo:R:l:" i; do
+while getopts "C:Fo:R:l:" i; do
case "$i" in
F)
fullFlag=1
@@ -151,6 +173,9 @@
l)
LOGFILE=$OPTARG
;;
+ C)
+ PREFC=$OPTARG
+ ;;
*)
usage
exit 1
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/fixfiles.8 policycoreutils-1.21.7/scripts/fixfiles.8
--- nsapolicycoreutils/scripts/fixfiles.8 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-1.21.7/scripts/fixfiles.8 2005-01-28 11:47:18.000000000 -0500
@@ -0,0 +1,64 @@
+.TH "fixfiles" "8" "2002031409" "" ""
+.SH "NAME"
+fixfiles \- fix file security contexts.
+
+.SH "SYNOPSIS"
+.B fixfiles [ -R rpmpackagename[,rpmpackagename...] ] [ -C PREVIOUS_FILECONTEXT ] [-l logfile ] [-o outputfile ] { check | restore | [-F] relabel }"
+
+.B fixfiles [-l logfile ] [-o outputfile ] { check | restore|[-F] relabel } [[dir/file] ... ]
+
+.SH "DESCRIPTION"
+This manual page describes the
+.BR fixfiles
+script.
+.P
+This script is primarily used to correct the security context
+database (extended attributes) on filesystems.
+.P
+It can also be run at any time to relabel when adding support for
+new policy, or just check whether the file contexts are all
+as you expect. By default it will relabel all mounted ext2, ext3, xfs and
+reiser file systems as long as they do not have a security context mount
+option. You can use the -R flag to use rpmpackages as an alternative.
+
+.SH "OPTIONS"
+.TP
+.B -l logfile
+Save the output to the specified logfile
+.TP
+.B -o outputfile
+Save all files that have file_context that differs from the default, in outputfile.
+
+.TP
+.B -F
+Don't prompt for removal of /tmp directory.
+
+.TP
+.B -R rpmpackagename[,rpmpackagename...]
+Use the rpm database to discover all files within the specified packages and restore the file contexts. (-a will get all files in the RPM database).
+.TP
+.B -C PREVIOUS_FILECONTEXT
+Run a diff on the PREVIOUS_FILECONTEXT file to the currently installed one, and restore the context of all affected files.
+
+.SH "ARGUMENTS"
+One of:
+.TP
+.B check
+show any incorrect file context labels but do not change them.
+.TP
+.B restore
+change any incorrect file context labels.
+.TP
+.B relabel
+Prompt for removal of contents of /tmp directory and then change any inccorect file context labels to match the install file_contexts file.
+.TP
+.B [[dir/file] ... ]
+List of files or directories trees that you wish to check file context on.
+
+.SH "AUTHOR"
+This man page was written by Richard Hally <rhally@mindspring.com>.
+The script was written by Dan Walsh <dwalsh@redhat.com>
+
+.SH "SEE ALSO"
+.BR setfiles (8), restorecon(8)
+
Binary files nsapolicycoreutils/scripts/fixfiles.8.gz and policycoreutils-1.21.7/scripts/fixfiles.8.gz differ
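Review bot: In the fixfiles hunk that adds `diff_filecontext`, restorecon is run as `${RESTORECON} $2 -v -f -R -`, but `restore` calls the function as `diff_filecontext $1`, so `$2` is always empty and the flag given to `restore` never reaches restorecon. The comment above `restore` says it only checks contexts when called with -n, so `fixfiles -C PREVIOUS_FILECONTEXT check` would presumably relabel files instead of only reporting them (the callers of `restore` are outside the hunk). The call should read `${RESTORECON} $1 -v -f -R -`. In the same function, `test -z "$TEMPFILE" && exit` exits with status 0 when mktemp fails, so a run that did nothing looks successful to the caller; `[ -n "$TEMPFILE" ] || exit 1` reports the failure. The `-C` argument is also expanded unquoted in `[ -f ${PREFC} -a -x /usr/bin/diff ]` and `diff $PREFC $FILE_CONTEXT`, so in a script that runs as root these should be `"$PREFC"` and `"$FILE_CONTEXT"`.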


@ -1,7 +1,7 @@
Summary: SELinux policy core utilities. Summary: SELinux policy core utilities.
Name: policycoreutils Name: policycoreutils
Version: 1.21.7 Version: 1.21.7
Release: 1 Release: 2
License: GPL License: GPL
Group: System Environment/Base Group: System Environment/Base
Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
@ -80,7 +80,8 @@ rm -rf ${RPM_BUILD_ROOT}
%config(noreplace) %{_sysconfdir}/sestatus.conf %config(noreplace) %{_sysconfdir}/sestatus.conf
%changelog %changelog
* Fri Jan 28 2005 Dan Walsh <dwalsh@redhat.com> 1.21.7-1 * Fri Jan 28 2005 Dan Walsh <dwalsh@redhat.com> 1.21.7-2
- Fix fixfiles patch
- Upgrade to latest from NSA - Upgrade to latest from NSA
* Prevent overflow of spec array in setfiles. * Prevent overflow of spec array in setfiles.
- Add diff comparason between file_contexts to fixfiles - Add diff comparason between file_contexts to fixfiles